Global Readiness: Universal Data Protection & Privacy Compliance

CASL | PIPEDA | CAN-SPAM | CCPA 2018 | GDPR | ePrivacy

Global laws and regulations are part of doing business in a global, data-oriented economy. The more we use data in marketing and sales, the more privacy issues arise. Regulation is inevitable and businesses cannot afford to ignore it. Yet your organization cannot create policies and procedures for every law out there. How do you develop global data and privacy policies and procedures that meet or beat all laws and regulations - GDPR, CASL, PIPEDA, CCPA 2018, and all of the other laws being developed as we speak?

Our UNIVERSAL Data & Privacy Program™ (UDPP) allows leaders to sleep better knowing they are intelligently managing global business risks for all of the markets they do business in. We work with your team to set up data, privacy and communication practices that are compliant in every country while remaining a single workable process for your staff.

“I sleep better knowing we are compliant.”

Pat Shaw
Former Executive Director, TechConnex

“Compliance to local laws is not optional. We make it our business to understand local laws and comply with them.”

“Thank you for the single-best presentation on this subject (CASL) I’ve seen.”

For those who may have missed it, here is the public letter to Minister Bains from our Federal Privacy Commissioner regarding Canada's lack of action on privacy laws. Daniel Therrien is not mincing words.

I am writing you in the context of the National Digital and Data Consultations you launched this past summer, and further to my last discussion with Deputy Minister John Knubley this fall. I have been reflecting a great deal on the Government’s overall strategy to position Canada as a global leader in an increasingly fast-paced digital and data-driven economy, and I would like to offer some views within this context.

The digital revolution is causing us to examine some of the most fundamental questions of our time. It is not an exaggeration to say that the digitization of so much of our lives is reshaping humanity. There are lofty ambitions for the power of digital technologies and big data, and its anticipated ability to drive productivity, growth and competitiveness, and improve our lives in various ways. Yet, at the same time, we have reached a critical tipping point upon which privacy rights and democratic values are at stake. Recent events have shed light on how personal information can be manipulated and used in unintended, even nefarious, ways. I am growing increasingly troubled that longstanding privacy rights and values in Canada are not being given equal importance within a new digital ecosystem eagerly focused on embracing and leveraging data for various purposes. Individual privacy is not a right we simply trade away for innovation, efficiency or commercial gain.

Global opposition to the mass collection of personal data for commercial and political purposes is growing rapidly, and even tech giants are recognizing that the status quo cannot continue. Apple Chief Executive Tim Cook recently spoke of a “data industrial complex” and warned that, “our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency.” He added, “(t)his is surveillance.” Likewise, Facebook’s Mark Zuckerberg admitted that his company committed a “serious breach of trust” in the Cambridge Analytica matter. Both companies have expressed support for a new U.S. law, similar to Europe’s General Data Protection Regulation (GDPR). You know that the ground has shifted and that we have reached a crisis point when the tech giants have become outspoken supporters of serious regulation. Now is the time to ensure we adopt the best approach for Canadians.

ISED launched its National Digital and Data Consultations this past summer with the message that, to spur digital innovation, investment, and job creation in Canada, citizens must have trust and confidence that their data and privacy will be protected. On privacy and trust, ISED asked Canadians how government should achieve the right balance between protecting privacy and innovation, as well as ways to increase citizens’ trust and confidence on data use “while not impeding innovation.” I am wary of this discourse as it suggests to Canadians that privacy is at odds with innovation, or similarly, that privacy is at one end of the spectrum and digital innovation at the other.

The Government rightly points out that Canadians must have trust and confidence that their data and privacy will be protected. However, I strongly believe that the trust needed to allow the digital economy to flourish, and the social license the government will need from Canadians to innovate with their personal data, hinges on having an appropriate legal framework in place. Yet, when it comes to effecting real legislative change in this context, the Government has been slow to act, putting at continued risk the trust Canadians have in the digital economy and confidence that our Canadian values will be preserved.

We should remember that the Canadian Charter of Rights and Freedoms and the federal Privacy Act were concurrently debated in Canada and born of the realization that privacy rights are intrinsic to other fundamental rights and values including liberty, dignity, and freedom from government intrusion. Privacy is more than a set of technical rules and administrative safeguards; it is certainly not a barrier as is often implied. Instead, it is a necessary precondition for the protection of fundamental values in Canada and worthy of legal protections. At a time when new and intrusive targeting techniques are already influencing democratic processes, and data analytics, automated decision-making technologies, and artificial intelligence are raising important ethical questions that have yet to be answered, Canadians need stronger privacy laws, not more permissive ones. Our laws should protect us when organizations fail to do so.

Under PIPEDA, organizations have a legal obligation to be transparent and accountable, but Canadians cannot rely exclusively on companies to manage their information responsibly. Transparency and accountability are necessary, but they are not sufficient. The reality is that our principles-based law is quite permissive and gives companies wide latitude to use personal information for their own benefit. While our law should probably continue to be principles-based and technologically neutral, it must be rights-based and drafted not as an industry code of conduct but as a statute that confers rights, while allowing for responsible innovation.

There is such a model emerging in the U.S., with Democratic Representatives pushing for an Internet Bill of Rights. It would be principles-based but would also establish rights for consumers. The list of rights includes opt-in consent for collection and sharing of data with a third party, a right related to data portability, a right to have personal information secured and to be notified following a security breach, a right to have an entity that collects personal information to have reasonable business practices and accountability to protect privacy, and probably most importantly, a right not to be unfairly discriminated against or exploited based on one’s personal data. To be sure, these rights would have to be supported by more comprehensive legislation and real remedies, but it is refreshing to see these proposals. They are a simple and clear way to frame principles-based legislation for privacy, compared to our industry code of practice-inspired Act which the courts have said is often difficult to interpret, and importantly, apply.

The position paper for ISED’s national consultation suggested we need an “intentional and agile approach to legislation and regulation that can assist in unlocking the full potential of the digital and data revolution.” Indeed, but I would stress that we cannot allow Canadian democracy to be disrupted, nor can we permit our institutions or rights to be undermined in a race to digitize everything and everyone, simply because technology makes this possible. Canada should simultaneously pursue privacy and innovation, and Privacy by Design is an excellent way to achieve both.

In my recent appearance before the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the study of the breach of personal information involving Cambridge Analytica and Facebook, I commented that while the EU GDPR is a major development in data protection and offers several excellent solutions, we should seek to develop an approach that reflects the Canadian context and values, including our close trading relationships within North America, with Europe, and the Asia Pacific region. Along these lines, I proposed that a new Canadian law include the following important aspects. It should:

Continue to be technology-neutral and principles-based, because these features enable the law to endure over time and create a level playing field, but it should mostly be drafted as a rights-based statute, meaning a law that confers enforceable rights to individuals, while also allowing for responsible innovation.

Maintain an important place for meaningful consent but it should also consider other ways to protect privacy where consent may not work, for instance in certain circumstances involving the development of artificial intelligence. The concept of ‘legitimate interest’ in the GDPR may provide one such alternate approach.

Empower a public authority to issue binding guidance or rules that would clarify how general principles and broadly framed rights are to apply in practice. Principles-based legislation has important virtues, but it does not bring an adequate level of certainty to individuals and organizations. Binding guidance or rules would ensure a more practical understanding of what the law requires. They could also be amended more easily than legislation as technology evolves.

Confer to the OPC stronger enforcement powers, including the power to make orders and impose fines for non-compliance with the law. These powers should include the right to independently verify compliance, without grounds, to ensure organizations are truly accountable to Canadians for the protection of their personal information.

Give the OPC the ability to choose which complaints to investigate, in order to focus limited resources on issues that pose the highest risk or may have greatest impact for Canadians. At the same time, to ensure no one is left without a remedy, give individuals a private right of action for PIPEDA violations.

Allow different regulators to share information. Meaningful protection of consumers and citizens in the fast-paced digital and data-driven economy understandably must involve several regulators, and they must be able to better coordinate their work.

Finally, it is absolutely imperative for privacy laws to be applied to Canadian political parties.

I believe the best way for Canada to position itself as a digital innovation leader is to demonstrate how we can establish a framework for innovation that also successfully protects Canadian values and rights, and protects our democracy. I offer this feedback in an effort to promote a more balanced approach in Canada, and ensure we assign equal importance to the treatment of data as a valuable asset and the value of privacy in our society. I look forward to hearing the outcomes of your consultations with Canadians. Please note that I am ready to discuss these important issues further, and to engage on legislative reform.

Arguably the most important right the California Consumer Privacy Act provides to California residents is the right to opt-out of data sales. “Sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” Valuable consideration is not defined under CCPA, but the act authorizes the attorney general to provide guidelines in furtherance of the CCPA’s purpose, and it is expected that a public consultation period will open in 2019.

Under contract law, one of the requirements for the formation of a contract is the existence of valuable consideration. California law defines consideration as “[a]ny benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is a good consideration for a promise.” Moreover, where the agreement is in writing, California law provides that “[a] written instrument is presumptive evidence of a consideration.” There are many examples of contract formation with non-monetary consideration. For example, in a non-disclosure agreement, one party agrees to allow another access to confidential information (a detriment) in exchange for service (a benefit).

Article 3 of the GDPR was written to settle when the GDPR applies. In fact, it left more questions than answers, and the EDPB has now delivered the long-awaited guidelines for public consultation in order to clear up some of the confusion.

The European Data Protection Board (EDPB, the successor to the Article 29 Working Party) has issued guidelines (for consultation) on one of the key foundation elements of the General Data Protection Regulation (GDPR); namely, Article 3 on territorial scope.

Article 3 is supposed to answer the important questions of when GDPR applies (depending on the location of an entity processing personal data, or of the individuals whose data is being processed). Unfortunately, Article 3 was drafted in a way that left many key concerns unanswered.

The Guidelines 3/2018 on the territorial scope of the GDPR adopted on 16 November 2018 (Guidelines) seek to answer some of those concerns.

The EDPB was somewhat delayed in issuing this much-trumpeted document. It was supposedly agreed in principle (subject to legal checks) at its plenary meeting over three months ago. Perhaps those legal checks found some issues, since it wasn't until the next plenary meeting (on 16 November) that the document was issued.

Thankfully, it was worth the wait – since there is some valuable guidance for those trying to navigate difficulties inherent in the drafting of Article 3.

Article 3

Before turning to the Guidelines it is worth recapping Article 3. It is in two (main) parts:

Article 3(1) (the "establishment" criterion) provides that GDPR applies to processing "in the context of an establishment" of a controller or processor in the EU.

Article 3(2) (the "targeting" criterion) provides that GDPR applies to non-EU controllers or processors in two situations: (i) those that offer goods or services to individuals in the EU ("targeting by selling") and (ii) those that monitor the behaviour of individuals in the EU ("targeting by monitoring").

Article 3(1)

We are an EU company, does GDPR apply to us?

Of course. Any entity incorporated or registered within the EU is "established" there.

My company is incorporated in, say, Mexico, but I have a branch or office in the EU - does GDPR apply?

Very likely, yes. Whilst "establishment" is not in fact defined, Recital 22 makes clear that

“[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect"

The Guidelines reiterate this. What matters is that there is some permanent ("stable") presence, and a branch office of a non-EU company will generally fulfil this requirement. Indeed, the Guidelines suggest that a single person or agent may be enough to indicate such presence.

My company is a processor and incorporated in the EU, but all customers are non-EU entities – does GDPR apply?

According to the Guidelines, GDPR applies to the processor (subject to the data being processed "in the context" of the establishment) since the processor is indeed established in the EU. It is irrelevant that the controller is not in the EU for the purposes of the processor's compliance. However, using a processor in the EU does not, automatically, make the non-EU controller subject to GDPR. See below!

We are a controller, but not in the EU. However, we do have an EU sales affiliate, but that entity does not actually process personal data itself – so presumably we are both outside of scope?

Not necessarily. The Guidelines support and restate the decisions of the Court of Justice of the European Union that it is possible even for non-EU entities to be "established" in the EU.

The processing need not be by the entity which has an establishment in the EU (in this example, the EU sales affiliate); GDPR will apply to any entity involved if the processing is "in the context" of the establishment in the EU.

This is the same outcome as in the Google Spain case. All that is required is an "inextricable link" between the non-EU entity and the EU establishment. If that exists, then in effect the EU affiliate is also an establishment of the non-EU entity – and GDPR applies to the non-EU entity even if the EU affiliate plays no actual role in processing. The EDPB makes clear that the language in Article 3(1) must be understood in the context of that decision (and other decisions such as Weltimmo).

My company is established in the EU, but we only sell to individuals out of the EU – does GDPR apply?

Yes. The processing of the data about individuals is in the "context of the establishment" of your company, the controller, in the EU. The Guidelines reiterate that it is irrelevant that the data subjects are not in the EU. GDPR is in this respect "nationality blind".

The Guidelines give an example of a French company selling to individuals in North Africa – GDPR applies.

We are an EU company but outsource all our processing activities to entities outside of the EU

GDPR still applies. The processing remains in the context of the EU establishment. The location of the actual processing is irrelevant.

We are a processor outside of the EU, but our customers are within the EU

GDPR does not directly apply to the processor. Before the Guidelines it had been possible to read Article 3(1) as extending GDPR to a non-EU entity merely because it services EU controllers. The Guidelines helpfully end this line of interpretation.

Whilst GDPR does not directly apply to the processor, the Guidelines emphasise the indirect application through Article 28. The controller within the EU is obliged to ensure (under Article 28) that certain data protection obligations are accepted by the processor under contract.

We are a controller outside of the EU, but we are using an EU processor

GDPR does not apply to the controller simply because it chooses to use a processor in the Union.

This is also helpful from the EDPB as, again, it was possible to read Article 3(1) more widely (that the processor being within the EU was sufficient to make the controller subject to GDPR).

The Guidelines clarify that such a controller is outside the scope of GDPR on the "establishment" criterion (but of course, if the data of individuals in the EU is processed, then Article 3(2) might apply). The EU processor, however, will be subject to the GDPR (see above).

We are that EU processor (our customer is outside the EU), do we have to comply with all parts of GDPR?

There was a worry that, if the customer was not subject to GDPR, the processor might be responsible for such things as ensuring a legal basis and other controller responsibilities (since no other entity was within the EU).

The Guidelines (again) helpfully make clear that the processor only has to comply with processor obligations.

Article 3(2)

We are NOT an EU company, so GDPR does not apply to us

No. If you are established outside the EU, you may still be caught by the GDPR under Article 3(2). Keep reading.

We are outside the EU and selling goods and services into the EU

Yes, clearly. Under Article 3(2) it is enough for you to be targeting your goods or services at individuals in the EU (see further below on "targeting").

But our services are only targeted to non-EU nationals (the diaspora of our country)

Again, GDPR is nationality blind. The Guidelines make clear that presence in the EU is enough.

OK, but we are only providing our service to US tourists whilst on vacation in the EU

This depends on whether there is targeting towards those individuals whilst in the EU or if the fact that they are within the EU is only incidental. If the key feature is to provide the service to individuals because they are within the EU, then GDPR will apply and the fact that they are only there temporarily is irrelevant.

But if the tourists just happen, say, to read a US news website whilst in the EU, that will not make the site subject to GDPR. This is in fact an example given by the EDPB, perhaps inspired by a desire to stop some well-publicised US news companies from geo-blocking EU visitors because of GDPR (a BBC news story covered this).

We provide our online services from outside the EU to individuals within the EU but do not charge for them

The Guidelines reiterate that the fact that a service is free is irrelevant. GDPR will still apply if the services are targeted at individuals in the EU.